Security researcher wushi of team509 reported that when a XUL tree had an HTML <div> element nested inside a <treechildren> element then code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node to tree content underneath it resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim's browser and run arbitrary code on their machine.
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2010:0966 https://rhn.redhat.com/errata/RHSA-2010-0966.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0967 https://rhn.redhat.com/errata/RHSA-2010-0967.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0968 https://rhn.redhat.com/errata/RHSA-2010-0968.html